POC details: 5a3f7a429fd253f332be7ed9a6205ef31854c3bc

Source
Related vulnerability
Title: ASP.NET AJAX and Sitefinity Progress Telerik UI security vulnerability (CVE-2017-9248)
Description: ASP.NET AJAX is a set of controls for ASP.NET; Sitefinity is an open-source platform for building enterprise websites and intranets. Progress Telerik UI is a UI (user interface) for ASP.NET AJAX controls developed by the US company Telerik. Telerik.Web.UI.dll in Progress Telerik UI in ASP.NET AJAX versions before R2 2017 SP1 and Sitefinity versions before 10.0.6412.0 has a security vulnerability, which stems from the program not properly protecting Telerik.
Introduction
# CVE-2017-9248 | Telerik ASP.NET AJAX

## Description

The Text Editor module in Telerik UI for ASP.NET AJAX provides a "File Manager" feature at the URI ``/Telerik.Web.UI.DialogHandler.aspx``.

The full URI with parameters is:

```
/Telerik.Web.UI.DialogHandler.aspx?DialogName=DocumentManager&renderMode=2&Skin=Default&Title=Document%20Manager&dpptn=&isRtl=false&dp=XXX
```

The vulnerability is in the ``dp`` parameter. It is a serialized object that carries the other parameters configuring the File Manager dialog, such as the directory and the file-extension restrictions.

Because the affected versions lack a security check in this logic, there are ways to brute-force the encryption key one character at a time.

Briefly, the decoding pipeline is: dp value => decode_base64 => xor(,key) => decode_base64 => deserialize

When fuzzing the ``dp`` parameter, we can receive three different messages:

- Invalid length

![alt text](images/image.png)

- Contains non-base64 characters

![alt text](images/image-1.png)

- ``extract_params`` cannot be used (the XOR step succeeded)

![alt text](images/image-2.png)

Because XOR encrypts each character of the output independently, the server's three distinct responses act as an oracle, and each character of the correct encryption key can be brute-forced on its own.
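From the defender's side, the per-character brute-force described above shows up in the web server log as one client sending many distinct ``dp`` values to ``/Telerik.Web.UI.DialogHandler.aspx`` within seconds. The following Python is an added detection example, not part of the original POC or the ``script.py`` in the snapshot; its log format and every sample line are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

DIALOG_PATH = "/telerik.web.ui.dialoghandler.aspx"  # compared case-insensitively
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")  # ip ts method target status
# Constructed sample log (not a real capture): 10.0.0.5 cycles dp values fast; 10.0.0.9 is a normal user.
SAMPLE_LOG = """\
10.0.0.5 2024-01-01T10:00:00 GET /Telerik.Web.UI.DialogHandler.aspx?DialogName=DocumentManager&dp=QUFB 200
10.0.0.5 2024-01-01T10:00:01 GET /Telerik.Web.UI.DialogHandler.aspx?DialogName=DocumentManager&dp=QUFC 200
10.0.0.5 2024-01-01T10:00:01 GET /Telerik.Web.UI.DialogHandler.aspx?DialogName=DocumentManager&dp=QUFD 200
10.0.0.5 2024-01-01T10:00:02 GET /Telerik.Web.UI.DialogHandler.aspx?DialogName=DocumentManager&dp=QUFE 200
10.0.0.5 2024-01-01T10:00:03 GET /Telerik.Web.UI.DialogHandler.aspx?DialogName=DocumentManager&dp=QUFF 200
10.0.0.5 2024-01-01T10:00:04 GET /Telerik.Web.UI.DialogHandler.aspx?DialogName=DocumentManager&dp=QUFG 200
10.0.0.9 2024-01-01T10:00:00 GET /Telerik.Web.UI.DialogHandler.aspx?DialogName=DocumentManager&dp=QUFB 200
10.0.0.9 2024-01-01T10:03:00 GET /Telerik.Web.UI.DialogHandler.aspx?DialogName=DocumentManager&dp=QUFB 200
"""


def parse_line(line):
    """Return {ip, ts, dp} for a request to the DialogHandler, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, _method, target, _status = m.groups()
    parts = urlsplit(target)
    if parts.path.lower() != DIALOG_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # keep an empty dp= too
    return {"ip": ip, "ts": datetime.fromisoformat(ts), "dp": qs.get("dp", [None])[0]}


def find_dp_bruteforce(log_text, threshold=5, window_s=60):
    """Map client IP -> most distinct dp values sent in any window_s-second window, for clients at or above threshold."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["dp"] is not None:
            by_ip[ev["ip"]].append((ev["ts"], ev["dp"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):  # sliding window over time-sorted events
            while events[end][0] - events[start][0] > timedelta(seconds=window_s):
                start += 1
            best = max(best, len({dp for _, dp in events[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

A normal user reloads the dialog with the same ``dp`` value, so only the client rotating through distinct values is flagged; tune ``threshold`` and ``window_s`` to your traffic.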

## Impact

The vulnerability does not only expose the folder tree of the webroot: the attacker can also set the allowed file-upload pattern to *.*

As a result, an attacker can upload a webshell and remotely control the victim server.

## Reproducing

Use the Python script to automatically brute-force the encryption key and build the URL to the File Manager dialog for the webroot.

![alt text](images/image-3.png)

![alt text](images/image-4.png)

Create a custom folder, upload an ASPX webshell into it, and RCE!!!
File snapshot

```
[4.0K] /data/pocs/5a3f7a429fd253f332be7ed9a6205ef31854c3bc
├── [4.0K] images
│   ├── [ 20K] image-1.png
│   ├── [ 13K] image-2.png
│   ├── [142K] image-3.png
│   ├── [101K] image-4.png
│   ├── [ 19K] image-5.png
│   └── [ 14K] image.png
├── [1.7K] README.md
├── [ 16K] script.py
└── [1.1K] web.config

1 directory, 9 files
```
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the POC through the source first.
    2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.